Web filtering

FortiGuard Web Filtering can help stop infections from malware sites and help prevent communication if an infection occurs.

  • Enable FortiGuard Web Filtering at the network edge.
  • Install the FortiClient application and use FortiGuard Web Filtering on any systems that bypass your FortiGate unit.
  • Block categories such as Pornography, Malware, Spyware, and Phishing. These categories are more likely to be dangerous.

Opened ports for Authentication Override in Web Filter Replacement Messages

When a firewall policy is configured with a web filter, AV or application control, or other UTM security profiles, the policy may open up one or more of ports 8008, 8010, 8015 or 8020 for authentication override and data retrieval for replacement messages, depending on the inspection mode.

When one of these ports is open and you try to access it over HTTP, the FortiGate may respond in any of the following ways:

  • FortiGate replies and then redirects to the port with a block message.

  • FortiGate sends a TCP RST to close the connection.

  • FortiGate doesn’t respond.

  • FortiGate does a TCP 3-way handshake, then sends a FIN to close the connection.

Traffic does not leak through the policy. However, in some scenarios such as testing the FortiGate for open ports against PCI compliance, this may result in failure of the test case.
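To see which of the behaviours listed above each override port actually shows on your own FortiGate (and to confirm they report as closed after the workaround below), the following added probe is not from the Fortinet documentation; it classifies each port's response and ships with a constructed local stand-in for each behaviour so it can be tried offline. The target address is an assumption: point it at an interface you administer.

```python
import socket, struct, threading

# The four override ports the page names, keyed to the CLI setting that moves them.
OVERRIDE_PORTS = {8008: "ovrd-auth-port-http", 8010: "ovrd-auth-port-https",
                  8015: "ovrd-auth-port-https-flow", 8020: "ovrd-auth-port-warning"}

def probe_port(host, port, timeout=3.0):
    """Send one plain HTTP request and classify the result as the page lists it:
    'reply', 'rst', 'no-response', 'fin', or 'closed' (refused; the close-ports goal)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        data = s.recv(4096)
    except ConnectionRefusedError:
        return "closed"
    except ConnectionResetError:
        return "rst"
    except (socket.timeout, OSError):
        return "no-response"
    finally:
        s.close()
    return "reply" if data else "fin"        # an empty read means the peer sent FIN

def audit(host, ports=OVERRIDE_PORTS):
    """Anything other than 'closed' here is what an external PCI scan will flag."""
    return {p: probe_port(host, p) for p in ports}

def serve_once(behaviour):
    """Offline stand-in for one FortiGate behaviour (constructed); returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    if behaviour == "closed":                # nothing listens, so connect is refused
        srv.close()
        return port
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        conn.recv(1024)                      # consume the request before acting
        if behaviour == "reply":
            conn.sendall(b"HTTP/1.0 200 OK\r\n\r\nblocked")
        elif behaviour == "rst":             # linger 0 makes close() emit a RST
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()                         # 'fin': close without replying
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return port
```

Run `audit("<fortigate-interface-ip>")` before and after `set close-ports enable`; every port should move to `closed`.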

To work around the issue, you can close the above ports by doing the following:

config webfilter fortiguard
    set close-ports enable
end

Note

When close-ports is enabled:

  • FortiGuard web filter actions Warning and Authenticate in proxy and flow inspection mode will not work.

  • The "Allow users to override blocked categories" option will not work.

  • The replacement message will not display the Fortinet logo.

FortiGuard and Local URL Filter blocking will not be affected.

When VDOM is enabled, edit the settings in global:

config global
    config webfilter fortiguard
        set close-ports enable
    end
end

In the case of Application Control, use the following to disable the use of replacement messages and port 8008:

config application list
    edit <list>
        set app-replacemsg disable
    next
end

If it is acceptable to simply change the ports to a high ephemeral port, the override ports can be changed from here:

  • Default:

    config webfilter fortiguard
        set ovrd-auth-port-http 8008
        set ovrd-auth-port-https 8010
        set ovrd-auth-port-https-flow 8015
        set ovrd-auth-port-warning 8020
    end
  • Update:

    config webfilter fortiguard
        set ovrd-auth-port-http <high port>
        set ovrd-auth-port-https <high port>
        set ovrd-auth-port-https-flow <high port>
        set ovrd-auth-port-warning <high port>
    end